ietf-mta-filters

Re: Comments on draft-homme-sieve-variables-01.txt

2003-04-19 06:40:05

[Simon Josefsson]:

  IMHO it is useful if all common pitfalls that lead to security
  problems are discussed.

well, I don't think this is the place for it, it would fit better in a
revision of RFC 3028, or an informational RFC.

  >>    For an example of a less general than expected test,
  >>    consider looking for Subject: containing "MAKE MONEY FAST"
  >>    to filter spam into a separate folder, and an incoming
  >>    message having a Subject: of "=?CP-1252?q?MAKE_MONEY_FAST?=".
  >
  > I believe that message should be filtered just fine.
  
  How?  Compare the following from RFC 3028 [2.7.2].  Assuming the
  implementation does not support CP-1252, I don't see how "MAKE
  MONEY FAST" and "=?CP-1252?q?MAKE_MONEY_FAST?=" would match.

oh, I assumed that an implementation would decode quoted-printable and
base64, but mark the string as "unknown charset".  that seems to "do
what I want" more often.

  The IDNA specification says that if IDNs are in IDN-unaware domain
  name slots, it MUST be encoded as ASCII.  Since the Sieve
  specification does not discuss IDN, all domain name slots in Sieve
  scripts are IDN-unaware.

good to know, thanks.
-- 
Kjetil T.
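
The two behaviours discussed in this message, side by side, as an added example (not code from the draft, RFC 3028, or any Sieve implementation): a strict view that leaves an encoded-word in an unsupported charset untouched, and a lenient view that undoes the quoted-printable or base64 layer and treats the result as "unknown charset". The `SUPPORTED` set and all function names are assumptions made for the illustration.

```python
import base64
import re

# Assumption: the charsets this hypothetical implementation can convert.
SUPPORTED = {"us-ascii", "utf-8", "iso-8859-1"}

# RFC 2047 encoded-word: =?charset?encoding?payload?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")

def transfer_decode(encoding, payload):
    """Undo only the transfer encoding (B or Q); return raw octets."""
    if encoding.lower() == "b":
        return base64.b64decode(payload, validate=True)
    # Q encoding: "_" stands for a space, "=XX" is one hex-encoded octet.
    raw = payload.replace("_", " ").encode("ascii")
    return re.sub(rb"=([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)

def decode_header(header, lenient):
    """Return the header text a string test would compare against.

    lenient=False: words in unsupported charsets stay as raw text.
    lenient=True:  they are transfer-decoded; ASCII octets are kept and
                   every other octet becomes U+FFFD (charset unknown).
    Folding whitespace between adjacent encoded-words is not handled.
    """
    def repl(match):
        charset, encoding, payload = match.groups()
        try:
            raw = transfer_decode(encoding, payload)
        except ValueError:          # malformed base64 or non-ASCII payload
            return match.group(0)
        if charset.lower() in SUPPORTED:
            return raw.decode(charset, errors="replace")
        if not lenient:
            return match.group(0)
        return raw.decode("ascii", errors="replace")
    return ENCODED_WORD.sub(repl, header)

def contains(header, needle, lenient):
    """A ':contains'-style substring test on the decoded header."""
    return needle in decode_header(header, lenient)

if __name__ == "__main__":
    subject = "=?CP-1252?q?MAKE_MONEY_FAST?="   # Subject from the thread
    print(contains(subject, "MAKE MONEY FAST", lenient=False))
    print(contains(subject, "MAKE MONEY FAST", lenient=True))
```
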